Communication is the cornerstone of business and personal relationships. Today, people in offices and homes do a great deal of communicating over computer networks and expect such communication to be reliable and their data secure. Therefore, network security has become a major concern for Internet Service Providers (ISPs) and company network administrators. Network security seeks to prevent hackers from attacking a network and disrupting the flow of communication, productivity, and overall service.
Hacker is a slang term used to refer to individuals who attack or gain unauthorized access to computer systems for the purpose of manipulating and/or stealing data and/or disrupting the flow of data in and out of a network. Hacking can occur from within or from outside the network being hacked.
Two common objectives of a network attack are to obtain access to data and to deny service to authorized users. Firewalls are frequently used to prevent unauthorized Internet users from accessing data on networks connected to the Internet. Firewalls can be implemented in both hardware and software, or a combination of both. All packets entering or leaving the network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. However, firewalls do not prevent denial of service attacks created by broadcast storms.
Broadcast traffic in a layer two network is sent out to every node on the network or a portion of the network. One typical use for a broadcast is for address resolution when the location of a user or server is not known. A broadcast flood is the transmission of broadcast traffic throughout an entire layer two network. A broadcast storm is an excessive amount of broadcast flooding. A broadcast storm can occur by chance, whereby a large number of users initiate one or more requests, or by a malicious attack where a hacker purposefully initiates valid or invalid requests to the network. Broadcasts may also occur when clients and servers come online and identify themselves. In all cases, the broadcast has to reach all possible stations that might potentially respond.
Broadcast storms are a recurring issue within many organizations' networks as broadcast traffic has increased with the growth, utility, and value of their networks. To understand why this is so, consider how network environments have changed with the advent of routers. A router is a layer three device that determines the next hop to which a packet should be forwarded toward its destination using layer three addresses, such as Internet Protocol (IP) addresses. The router is connected to at least two networks and decides which way to send each packet based on its current understanding of the state of the networks it is connected to. A switch is a layer two device that filters and forwards packets between Local Area Network (LAN) segments using layer two addresses, such as Media Access Control (MAC) addresses, and operates independently from layer three protocols (e.g., IP). Unlike a router or its functional equivalent, a switch does not require any knowledge of the network topology. Where no forwarding information is found in the forwarding database for a unicast packet (its destination is unknown), or where the packet is a broadcast, the switch will flood the packet to all nodes or devices in the network in an effort to reach the destination device. A MAC address is a hardware address that uniquely identifies each node or device on a network.
FIG. 1 shows Address Resolution Protocol (ARP) packet protocol fields. The protocol address space 102 specifies the type of protocol or packet type, such as IP. The operation code 104 specifies whether the packet is an ARP request packet or an ARP reply packet. The hardware address of the sender 106 and the protocol address of the sender 108 are the sender's MAC address and IP address, respectively. An IP address is an identifier for a computer or device on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. Networks using the TCP/IP protocols route packets based on the IP address of the destination. The protocol address of the target 112 is the destination IP address of the machine the sender is trying to contact. Because the purpose of an ARP request packet is to resolve the target MAC address, the hardware address of the target 110 is undefined in a request packet and would only be defined in an ARP response packet.
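The field layout described above can be made concrete with a small parser. This is an added example, not part of the original text; it assumes Ethernet/IPv4 ARP only, and the names parse_arp and SAMPLE_REQUEST are hypothetical.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample: an Ethernet/IPv4 ARP request from 192.0.2.10 for 192.0.2.1.
SAMPLE_REQUEST = bytes.fromhex(
    "0001"          # hardware address space: Ethernet
    "0800"          # protocol address space (102): IPv4
    "06" "04"       # hardware / protocol address lengths
    "0001"          # operation code (104): request
    "020000000001"  # hardware address of sender (106)
    "c000020a"      # protocol address of sender (108): 192.0.2.10
    "000000000000"  # hardware address of target (110): undefined in a request
    "c0000201"      # protocol address of target (112): 192.0.2.1
)

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP payload into the fields named in FIG. 1."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unexpected operation code {oper}")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "protocol": ptype,
        "operation": "request" if oper == ARP_REQUEST else "reply",
        "sender_mac": _mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }

if __name__ == "__main__":
    for name, value in parse_arp(SAMPLE_REQUEST).items():
        print(f"{name:11} {value}")
```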
FIG. 2 shows a conventional method of dealing with broadcast/unicast flooding in an effort to limit broadcast storm damage to a network. A network device, such as a switch, will set rising and falling threshold parameters (step 202) for the number of flooded broadcast/unicast packets the device may receive. The network device receives a packet to flood (e.g., broadcast or unknown unicast) (step 204) and checks to see if the number of requests has exceeded the rising threshold parameter (step 206). If the number of requests has not exceeded the rising threshold parameter, the device floods the request to all network ports (step 208) and continues to receive new requests (step 204). If the rising threshold parameter has been exceeded, the device does not flood the packet (step 210) but checks to see if the number of requests has fallen below the falling threshold parameter (step 212). The device will continue to ignore further requests (step 210) as long as the number of requests is above the falling threshold parameter. When the number of requests falls below the falling threshold parameter, the device again continues to flood requests (step 204). This solution is inadequate, however: although it may shorten the time interval of the flood, there is still a denial of service while the threshold parameters are exceeded, and the method fails to deal with the issue of flooding broadcast packets to all nodes.
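The two shortcomings named above show up in a short simulation of the FIG. 2 flow. This is an added example, not part of the original text; it assumes the device counts flood packets per fixed interval, and the function name, thresholds and traffic figures are constructed for illustration.

```python
def simulate_storm_control(intervals, rising, falling):
    """Apply the rising/falling threshold logic of FIG. 2 to per-interval counts.

    intervals: list of (legitimate, storm) flood-packet counts per interval.
    The device sees only the total; it cannot tell the two kinds apart.
    Returns how many packets of each kind were flooded or dropped.
    """
    suppressing = False
    stats = {"legit_flooded": 0, "legit_dropped": 0,
             "storm_flooded": 0, "storm_dropped": 0}
    for legit, storm in intervals:
        total = legit + storm
        if not suppressing and total > rising:
            suppressing = True     # step 206: rising threshold exceeded
        elif suppressing and total < falling:
            suppressing = False    # step 212: back below falling threshold
        if suppressing:
            # Step 210: nothing is flooded, so legitimate requests are lost too.
            stats["legit_dropped"] += legit
            stats["storm_dropped"] += storm
        else:
            # Step 208: everything, storm traffic included, goes to all ports.
            stats["legit_flooded"] += legit
            stats["storm_flooded"] += storm
    return stats

# Constructed traffic: 5 legitimate broadcasts per interval, with a storm
# that ramps up in the third interval and tails off afterwards.
SAMPLE_INTERVALS = [(5, 0), (5, 0), (5, 200), (5, 200), (5, 60), (5, 10), (5, 0)]

if __name__ == "__main__":
    result = simulate_storm_control(SAMPLE_INTERVALS, rising=100, falling=20)
    for key, value in result.items():
        print(f"{key:14} {value}")
```

With these figures, 15 of the 35 legitimate broadcasts are dropped while suppression is active, and the storm packets that arrive below the rising threshold are still flooded to every port.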
Another problem that arises in connection with ARP traffic is ARP response spoofing. This occurs when a hacker fakes a response to an ARP request. In such cases the IP host/router, which sent the ARP request, will associate the target IP address with the MAC address belonging to the malicious user. The result is that traffic intended for a legitimate user will be forwarded to the malicious user, thus compromising security and denying service to the sender and intended receiver.
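From a monitoring point of view, the spoofed response described above leaves two observable traces: a reply nobody asked for, and an IP address that suddenly maps to a different MAC address. The following is an added example, not part of the original text; the heuristics, the names and the observations are constructed, and it assumes ARP packets have already been parsed into records.

```python
from collections import namedtuple

# One parsed ARP packet as seen by a monitor (field names are hypothetical).
Arp = namedtuple("Arp", "op sender_ip sender_mac target_ip")
REQUEST, REPLY = 1, 2

def audit_arp(observations):
    """Return alerts for ARP replies that look forged.

    Assumption: the first IP-to-MAC binding seen is treated as the baseline.
    A conflict means two claims disagree; it does not say which one is genuine.
    """
    bindings = {}     # ip -> MAC address first seen for it
    pending = set()   # (requester_ip, wanted_ip) awaiting a reply
    alerts = []
    for index, pkt in enumerate(observations):
        if pkt.op == REQUEST:
            pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.op == REPLY:
            # A reply is addressed to the requester and sent by the wanted IP.
            key = (pkt.target_ip, pkt.sender_ip)
            if key in pending:
                pending.discard(key)
            else:
                alerts.append((index, "unsolicited-reply",
                               pkt.sender_ip, pkt.sender_mac))
        known = bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            alerts.append((index, "binding-changed",
                           pkt.sender_ip, pkt.sender_mac))
    return alerts

# Constructed observations: a normal request/reply pair, then a second reply
# claiming the same IP address with a different MAC address.
SAMPLE_OBSERVATIONS = [
    Arp(REQUEST, "192.0.2.10", "02:00:00:00:00:0a", "192.0.2.1"),
    Arp(REPLY,   "192.0.2.1",  "02:00:00:00:00:01", "192.0.2.10"),
    Arp(REPLY,   "192.0.2.1",  "02:00:00:00:00:66", "192.0.2.10"),
]

if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_OBSERVATIONS):
        print(alert)
```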